{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Intervals created in React hooks or components should be cleared on unmount. Missing cleanup can keep stale callbacks alive after recording, polling, or overlay components close."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "CRYP001", "name": "Crypto \u2014 plaintext HTTP for sensitive endpoint", "shortDescription": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "fullDescription": {"text": "Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"scanner": "repobility", "category": "crypto", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 6 more): Same pattern found in 6 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED087", "name": "[MINED087] Js Always True If (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED087] Js Always True If (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-561 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED088", "name": "[MINED088] React Conditional Hook (and 14 more): Same pattern found in 14 additional files. Review if needed.", "shortDescription": {"text": "[MINED088] React Conditional Hook (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 5 more): Same pattern found in 5 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 19 more): Same pattern found in 19 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 17 more): Same pattern found in 17 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED031", "name": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React wont re-render.", "shortDescription": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React wont re-render."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-node` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SUPC001", "name": "Supply chain \u2014 curl | bash anti-pattern", "shortDescription": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "fullDescription": {"text": "curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"scanner": "repobility", "category": "supply_chain", "severity": "high", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/178"}, "properties": {"repository": "millionco/react-doctor", "repoUrl": "https://github.com/millionco/react-doctor.git", "branch": "main"}, "results": [{"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 40473, "scanner": "repobility-threat-engine", "fingerprint": "68ed4b7db7237abfe5d6763ed2c8e6170cbf6f418012d61609f3992d2836133a", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"foobar\" target=\"_blank\" rel={\"noopener noreferrer\"}>", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|21|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/jsx-no-target-blank.fixtures.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 40440, "scanner": "repobility-threat-engine", "fingerprint": "479aef8c38eb0c73aec42475ae2a7bc6af8c1543c1515c2cd05409e1c12c62f4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|35|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/performance/no-large-animated-blur.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 40439, "scanner": "repobility-threat-engine", "fingerprint": "bbc0b770370da6ac6415d250cfb533170d59f2ef564ae5e1017a8baf8d784c43", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|15|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/parse-gitattributes-linguist.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 40438, "scanner": "repobility-threat-engine", "fingerprint": "30fa13e9bc2ebf4ec9047151ec4d2c850496967ba676540f59b615eaae46485a", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|105|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/filter-diagnostics.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 40429, "scanner": "repobility-agent-runtime", "fingerprint": "19d10b0cec8ef0c82fc19da68c4b8f161eb7187a68f68366a97fb68d2a809486", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|19d10b0cec8ef0c82fc19da68c4b8f161eb7187a68f68366a97fb68d2a809486"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/state-and-effects/rerender-functional-setstate.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 40428, "scanner": "repobility-agent-runtime", "fingerprint": "72d4f1872ad70b0ece2d35afd2409b362d3eaeccf464d2f7dbcda918e9a713cc", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|72d4f1872ad70b0ece2d35afd2409b362d3eaeccf464d2f7dbcda918e9a713cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/state-and-effects/no-effect-chain.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 40427, "scanner": "repobility-agent-runtime", "fingerprint": "4b5caa5977fa45feeafcecdcd0193d6660287c72e7c83aba58ac1031f566a237", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|4b5caa5977fa45feeafcecdcd0193d6660287c72e7c83aba58ac1031f566a237"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/rules-of-hooks.fixtures.ts"}, "region": {"startLine": 148}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 40426, "scanner": "repobility-agent-runtime", "fingerprint": "8676c855d95075e9685cd6753c3db600d88e9d0f6b91002cfb0a88eaa9747c83", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|8676c855d95075e9685cd6753c3db600d88e9d0f6b91002cfb0a88eaa9747c83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/constants/js.ts"}, "region": {"startLine": 239}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14176, "scanner": "repobility", "fingerprint": "791af850510a51b9c3d50df57ea4e915", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/website/src/app/share/badge/route.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 5116, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 5113, "scanner": "repobility-agent-runtime", "fingerprint": "b0a5b4926e9524d867d8b7d1df93f8c3fae0bfc7081f4fb357c13a93921f652d", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|b0a5b4926e9524d867d8b7d1df93f8c3fae0bfc7081f4fb357c13a93921f652d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/website/src/components/terminal.tsx"}, "region": {"startLine": 252}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 5112, "scanner": "repobility-agent-runtime", "fingerprint": "9cd20b985003b5b51e5cc0b9eea9e048062027af6ccf9b5cfcd709e1b2bfbe6e", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|9cd20b985003b5b51e5cc0b9eea9e048062027af6ccf9b5cfcd709e1b2bfbe6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/website/src/app/install-skill/route.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 5111, "scanner": "repobility-agent-runtime", "fingerprint": "3a86736f86761ce8d89fb051f027895d0004d880d26fe70a3f9cbb241784afea", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|3a86736f86761ce8d89fb051f027895d0004d880d26fe70a3f9cbb241784afea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/plugin/rules/state-and-effects/no-effect-chain.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5110, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac387f9d555c7c5b3191ad8251fa86aa4264320fb3387ae2834ffde6a5499d8e", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-doctor/src/plugin/rules/performance/rerender-derived-state-from-hook.ts", "duplicate_line": 65, "correlation_key": "fp|ac387f9d555c7c5b3191ad8251fa86aa4264320fb3387ae2834ffde6a5499d8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/plugin/rules/state-and-effects/rerender-defer-reads-hook.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5109, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bbb190c74004028dc916062bb787976e98c3b13acade022e27ee0f9d540ae21a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-doctor/src/plugin/rules/correctness/no-uncontrolled-input.ts", "duplicate_line": 99, "correlation_key": "fp|bbb190c74004028dc916062bb787976e98c3b13acade022e27ee0f9d540ae21a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/plugin/rules/state-and-effects/prefer-use-sync-external-store.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5108, "scanner": "repobility-ai-code-hygiene", "fingerprint": "41c11ae927af9ea8663298fb81791426eb4818ad2152f086627774edf629cf9c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-doctor/src/plugin/rules/performance/rerender-derived-state-from-hook.ts", "duplicate_line": 65, "correlation_key": "fp|41c11ae927af9ea8663298fb81791426eb4818ad2152f086627774edf629cf9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/plugin/rules/state-and-effects/prefer-use-sync-external-store.ts"}, "region": {"startLine": 162}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5107, "scanner": "repobility-ai-code-hygiene", "fingerprint": "074d8d0d9181dc05d3fa2ee42cb04e41ddb6dbfb86d330fb5d9fd0bd4202452d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-doctor/src/plugin/rules/correctness/no-uncontrolled-input.ts", "duplicate_line": 99, "correlation_key": "fp|074d8d0d9181dc05d3fa2ee42cb04e41ddb6dbfb86d330fb5d9fd0bd4202452d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/plugin/rules/state-and-effects/no-set-state-in-render.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5106, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b474705fad639278aecf63276ae4cd1643288f23d038335ca526f2a6d524cde1", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-doctor/src/plugin/rules/performance/rerender-derived-state-from-hook.ts", "duplicate_line": 65, "correlation_key": "fp|b474705fad639278aecf63276ae4cd1643288f23d038335ca526f2a6d524cde1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/plugin/rules/state-and-effects/no-set-state-in-render.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5105, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3646b7fae6a1ba07cafc137ee4b335ea02a2f3aa0c557769166579448a3ef381", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-doctor/src/plugin/rules/correctness/no-uncontrolled-input.ts", "duplicate_line": 97, "correlation_key": "fp|3646b7fae6a1ba07cafc137ee4b335ea02a2f3aa0c557769166579448a3ef381"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/plugin/rules/state-and-effects/no-mutable-in-deps.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5104, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7c31b9d71ae283f63fee1af8c92ff03c339a068755f18329faccce313ed7b95d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-doctor/src/plugin/rules/correctness/no-uncontrolled-input.ts", "duplicate_line": 98, "correlation_key": "fp|7c31b9d71ae283f63fee1af8c92ff03c339a068755f18329faccce313ed7b95d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/plugin/rules/state-and-effects/no-event-trigger-state.ts"}, "region": {"startLine": 146}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5103, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7cf63add7cc7aaa11df2646d5f782d50b4a7b65028b3d471f117484da622bc05", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-doctor/src/plugin/rules/state-and-effects/no-derived-state-effect.ts", "duplicate_line": 60, "correlation_key": "fp|7cf63add7cc7aaa11df2646d5f782d50b4a7b65028b3d471f117484da622bc05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/plugin/rules/state-and-effects/no-effect-event-handler.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5102, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2dd4b247e8cd6d978e35a19a108fadb09f00edcd85bead548a47d4ca63c80e73", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-doctor/src/plugin/rules/correctness/no-uncontrolled-input.ts", "duplicate_line": 99, "correlation_key": "fp|2dd4b247e8cd6d978e35a19a108fadb09f00edcd85bead548a47d4ca63c80e73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/plugin/rules/state-and-effects/no-effect-chain.ts"}, "region": {"startLine": 183}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5101, "scanner": "repobility-ai-code-hygiene", "fingerprint": "472b02ed3dfdcceaf82ca7c3274026c0dfd2c6336ec2c6c02801290effaf778a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-doctor/src/plugin/rules/performance/rerender-derived-state-from-hook.ts", "duplicate_line": 66, "correlation_key": "fp|472b02ed3dfdcceaf82ca7c3274026c0dfd2c6336ec2c6c02801290effaf778a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/plugin/rules/state-and-effects/no-effect-chain.ts"}, "region": {"startLine": 182}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5100, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4318e362c8bfde159aee9e75ed39423ded8c274a51bb671374dcb5f84819dd27", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-doctor/src/plugin/rules/correctness/no-uncontrolled-input.ts", "duplicate_line": 99, "correlation_key": "fp|4318e362c8bfde159aee9e75ed39423ded8c274a51bb671374dcb5f84819dd27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/plugin/rules/state-and-effects/no-direct-state-mutation.ts"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5099, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c629854de7a1d2855300c1348caa8e3e6396a7ada95c8375fd59d261e68a295e", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-doctor/src/plugin/rules/correctness/no-uncontrolled-input.ts", "duplicate_line": 99, "correlation_key": "fp|c629854de7a1d2855300c1348caa8e3e6396a7ada95c8375fd59d261e68a295e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/plugin/rules/performance/rerender-derived-state-from-hook.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40419, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b8299c87900758ac92a6a7e17b9c2b1eb55a4406fc3bcc7e557fee828e38bc88", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-new-array-as-prop.ts", "duplicate_line": 384, "correlation_key": "fp|b8299c87900758ac92a6a7e17b9c2b1eb55a4406fc3bcc7e557fee828e38bc88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-new-object-as-prop.ts"}, "region": {"startLine": 326}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40418, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0df755b2747e2b8e04823594ce9e0e97e9576da223c7208cc59b1ed765ab5030", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-jsx-as-prop.ts", "duplicate_line": 249, "correlation_key": "fp|0df755b2747e2b8e04823594ce9e0e97e9576da223c7208cc59b1ed765ab5030"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-new-object-as-prop.ts"}, "region": {"startLine": 298}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40417, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d09c3a359a98e084ea10e9bd34be3d44383def7c25239725f1568e622d2c4689", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-new-array-as-prop.ts", "duplicate_line": 384, "correlation_key": "fp|d09c3a359a98e084ea10e9bd34be3d44383def7c25239725f1568e622d2c4689"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-new-function-as-prop.ts"}, "region": {"startLine": 578}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40416, "scanner": "repobility-ai-code-hygiene", "fingerprint": "878eb7bce46b9ef5b2bff71a76ad9d1b6e391998601950c73b7252224b01c6b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-jsx-as-prop.ts", "duplicate_line": 249, "correlation_key": "fp|878eb7bce46b9ef5b2bff71a76ad9d1b6e391998601950c73b7252224b01c6b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-new-function-as-prop.ts"}, "region": {"startLine": 266}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40415, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bc5625773b1f57c80ac8a13893d4df0e979031244d9e8d7cf07af499c7b4c0ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-jsx-as-prop.ts", "duplicate_line": 249, "correlation_key": "fp|bc5625773b1f57c80ac8a13893d4df0e979031244d9e8d7cf07af499c7b4c0ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-no-new-array-as-prop.ts"}, "region": {"startLine": 356}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40414, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cce41546c417310b75492e6f8370c7ab2107c1b9c644128f0958e49352541e75", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-did-update-set-state.fixtures.ts", "duplicate_line": 246, "correlation_key": "fp|cce41546c417310b75492e6f8370c7ab2107c1b9c644128f0958e49352541e75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-will-update-set-state.fixtures.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40413, "scanner": "repobility-ai-code-hygiene", "fingerprint": "977954ec52544823cecc0724abf417b67e3cdc51097d0eadd6601519b8910272", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-did-mount-set-state.fixtures.ts", "duplicate_line": 1, "correlation_key": "fp|977954ec52544823cecc0724abf417b67e3cdc51097d0eadd6601519b8910272"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-will-update-set-state.fixtures.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40412, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83b93c51a37b3a884f0e6ab18bce8e991679bfbcc987fbfa4ec9172ff41f1933", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-set-state.fixtures.ts", "duplicate_line": 53, "correlation_key": "fp|83b93c51a37b3a884f0e6ab18bce8e991679bfbcc987fbfa4ec9172ff41f1933"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-string-refs.fixtures.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40411, "scanner": "repobility-ai-code-hygiene", "fingerprint": "625d59f85af5ee167c54110970d2b60368aec0dc3d9a3908487ba522fd7d7c53", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-did-update-set-state.fixtures.ts", "duplicate_line": 149, "correlation_key": "fp|625d59f85af5ee167c54110970d2b60368aec0dc3d9a3908487ba522fd7d7c53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-set-state.fixtures.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40410, "scanner": "repobility-ai-code-hygiene", "fingerprint": "374507334f5cc6f33d5cf4afb5c16c704e253a91c67d60e21c162038fdd0c85a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-did-mount-set-state.fixtures.ts", "duplicate_line": 8, "correlation_key": "fp|374507334f5cc6f33d5cf4afb5c16c704e253a91c67d60e21c162038fdd0c85a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-set-state.fixtures.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40409, "scanner": "repobility-ai-code-hygiene", "fingerprint": "52a639d93ad41ec9639fbba3596b17f340377491f7933a36ea0a104d7f4fb6dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-did-mount-set-state.fixtures.ts", "duplicate_line": 1, "correlation_key": "fp|52a639d93ad41ec9639fbba3596b17f340377491f7933a36ea0a104d7f4fb6dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-did-update-set-state.fixtures.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40408, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f593fc890c9693d0a3405d89e9506cc27bb5b966939de498203a0ab7b10426a9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/oxlint-plugin-react-doctor/src/plugin/rules/correctness/no-uncontrolled-input.ts", "duplicate_line": 102, "correlation_key": "fp|f593fc890c9693d0a3405d89e9506cc27bb5b966939de498203a0ab7b10426a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/performance/rerender-derived-state-from-hook.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40407, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6263d0c7fc0b91fd2c382fef2bce0283dce2d401ec1d43acaa3a6d0768e6d863", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/__fixtures__/no-interactive-element-to-noninteractive-role.fixtures.ts", "duplicate_line": 22, "correlation_key": "fp|6263d0c7fc0b91fd2c382fef2bce0283dce2d401ec1d43acaa3a6d0768e6d863"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/__fixtures__/no-noninteractive-element-to-interactive-role.fixtures.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40406, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4b4efe93aa5c3de1a89c67fb46046b703f591ca5fc842cac304c5a9c327081c2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/vite.config.ts", "duplicate_line": 8, "correlation_key": "fp|4b4efe93aa5c3de1a89c67fb46046b703f591ca5fc842cac304c5a9c327081c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/vite.config.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40405, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e52ad8f88906d9e0c609bb989ed43190647243c03d763c93d88e8a769a0bfa5e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/project-info/count-source-files.ts", "duplicate_line": 30, "correlation_key": "fp|e52ad8f88906d9e0c609bb989ed43190647243c03d763c93d88e8a769a0bfa5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/utils/list-source-files.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 40404, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9190366c545016cf7fa7621c07b41f81fca54da83f9a48b0897b57d5ec773997", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|9190366c545016cf7fa7621c07b41f81fca54da83f9a48b0897b57d5ec773997"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/no-redundant-should-component-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 40403, "scanner": "repobility-ai-code-hygiene", "fingerprint": "004da93668eae8b8bdfff56cb76de47568a0f44897e0e8a753e102331cbcc332", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "alt", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|004da93668eae8b8bdfff56cb76de47568a0f44897e0e8a753e102331cbcc332"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/img-redundant-alt.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 40484, "scanner": "repobility-threat-engine", "fingerprint": "3ce5ab3f73513cded3ecd48d00f08035c017cce01d709b3a9e72975383f22c46", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3ce5ab3f73513cded3ecd48d00f08035c017cce01d709b3a9e72975383f22c46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/utils/rule-visitors.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 40483, "scanner": "repobility-threat-engine", "fingerprint": "d57f94c2e96069b4a87a7fb2ba46f76103ae7ecd579ffae7064a6551df416baa", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d57f94c2e96069b4a87a7fb2ba46f76103ae7ecd579ffae7064a6551df416baa"}}}, {"ruleId": "MINED087", "level": "none", "message": {"text": "[MINED087] Js Always True If (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 40477, "scanner": "repobility-threat-engine", "fingerprint": "68678eae103831aa958cfe969ba859dc18d66e0f61b71b9464b05830e05511b3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-always-true-if", "owasp": null, "cwe_ids": ["CWE-561"], "languages": ["javascript", "typescript", "tsx", "jsx", "python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348140+00:00", "triaged_in_corpus": 12, "observations_count": 739, "ai_coder_pattern_id": 140}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|68678eae103831aa958cfe969ba859dc18d66e0f61b71b9464b05830e05511b3", "aggregated_count": 1}}}, {"ruleId": "MINED087", "level": "none", "message": {"text": "[MINED087] Js Always True If: if (true) \u2014 else branch unreachable. Likely debug residue."}, "properties": {"repobilityId": 40476, "scanner": "repobility-threat-engine", "fingerprint": "0d673b5746d3d6330f149660f5a4632c4d0fb98b2a26bb3063e8142a3f55c869", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-always-true-if", "owasp": null, "cwe_ids": ["CWE-561"], "languages": ["javascript", "typescript", "tsx", "jsx", "python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348140+00:00", "triaged_in_corpus": 12, "observations_count": 739, "ai_coder_pattern_id": 140}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0d673b5746d3d6330f149660f5a4632c4d0fb98b2a26bb3063e8142a3f55c869"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-will-update-set-state.fixtures.ts"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED087", "level": "none", "message": {"text": "[MINED087] Js Always True If: if (true) \u2014 else branch unreachable. Likely debug residue."}, "properties": {"repobilityId": 40475, "scanner": "repobility-threat-engine", "fingerprint": "a47b39f1d960d134a0d8fc0cd9cf7a2affb9da33e6384dfb853383ddd71a072e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-always-true-if", "owasp": null, "cwe_ids": ["CWE-561"], "languages": ["javascript", "typescript", "tsx", "jsx", "python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348140+00:00", "triaged_in_corpus": 12, "observations_count": 739, "ai_coder_pattern_id": 140}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a47b39f1d960d134a0d8fc0cd9cf7a2affb9da33e6384dfb853383ddd71a072e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-did-update-set-state.fixtures.ts"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED087", "level": "none", "message": {"text": "[MINED087] Js Always True If: if (true) \u2014 else branch unreachable. Likely debug residue."}, "properties": {"repobilityId": 40474, "scanner": "repobility-threat-engine", "fingerprint": "53ddee7da8ce852b4fdbca56610abe688ec751fa260f5f6d293c34a428e127f9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-always-true-if", "owasp": null, "cwe_ids": ["CWE-561"], "languages": ["javascript", "typescript", "tsx", "jsx", "python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348140+00:00", "triaged_in_corpus": 12, "observations_count": 739, "ai_coder_pattern_id": 140}, "scanner": "repobility-threat-engine", "correlation_key": "fp|53ddee7da8ce852b4fdbca56610abe688ec751fa260f5f6d293c34a428e127f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-did-mount-set-state.fixtures.ts"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 40472, "scanner": "repobility-threat-engine", "fingerprint": "c7b861e583ac307a045a4715594bddad6120d1192da12ae4db8b30354b56c2ba", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c7b861e583ac307a045a4715594bddad6120d1192da12ae4db8b30354b56c2ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/jsx-no-script-url.fixtures.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 40469, "scanner": "repobility-threat-engine", "fingerprint": "802ffdc387ebcfbe2d6b0735d9c5f6f86a297f799edc6a754b40e963729700a2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|802ffdc387ebcfbe2d6b0735d9c5f6f86a297f799edc6a754b40e963729700a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/only-export-components.fixtures.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 40468, "scanner": "repobility-threat-engine", "fingerprint": "5767615d86b7de5ad964077fea5e30185926ec32d7b6590adbc3a0b6936a9c93", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5767615d86b7de5ad964077fea5e30185926ec32d7b6590adbc3a0b6936a9c93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-react-children.fixtures.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 40467, "scanner": "repobility-threat-engine", "fingerprint": "6ed17000900dc03c25875b165b2b3c31d2616daa036e26653b20a3ccdda19f62", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ed17000900dc03c25875b165b2b3c31d2616daa036e26653b20a3ccdda19f62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/jsx-no-constructed-context-values.fixtures.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 40466, "scanner": "repobility-threat-engine", "fingerprint": "e3388b234273f4a2e74e16f8adc875a3f1486e18f190fcdf1616eb27c8e71c32", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e3388b234273f4a2e74e16f8adc875a3f1486e18f190fcdf1616eb27c8e71c32", "aggregated_count": 1}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 40465, "scanner": "repobility-threat-engine", "fingerprint": "bcc45a150760bc2f80dde7e2e60560ec20f8ede9fabce4d827674f09fa5ba7a1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bcc45a150760bc2f80dde7e2e60560ec20f8ede9fabce4d827674f09fa5ba7a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-multi-comp.fixtures.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 40464, "scanner": "repobility-threat-engine", "fingerprint": "fbb00db5131be688025ea3c5228e417ec799dc563673ea201d1061f4b70dca03", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fbb00db5131be688025ea3c5228e417ec799dc563673ea201d1061f4b70dca03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-array-index-key.fixtures.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 40463, "scanner": "repobility-threat-engine", "fingerprint": "bc7914f0b8e5435c5031ddfe91dd4fc8913a0b69b63304661a01dfc7e1c4470a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bc7914f0b8e5435c5031ddfe91dd4fc8913a0b69b63304661a01dfc7e1c4470a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/jsx-max-depth.fixtures.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 40462, "scanner": "repobility-threat-engine", "fingerprint": "2e16be3bfa3e64e925d3ba7131e77820a5491b87166c081a439b78fc61bbf384", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|55|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/performance/rendering-hydration-mismatch-time.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 40461, "scanner": "repobility-threat-engine", "fingerprint": "ac2dd41568113e1d26b364c9c8dc3ac36ed91b44324ae9b0a348e3ee43ab7f24", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ac2dd41568113e1d26b364c9c8dc3ac36ed91b44324ae9b0a348e3ee43ab7f24", "aggregated_count": 14}}}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "properties": {"repobilityId": 40460, "scanner": "repobility-threat-engine", "fingerprint": "eeb3769719e404afc290d004a1fbc80c9e306ebead7484a5464b639f27668701", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eeb3769719e404afc290d004a1fbc80c9e306ebead7484a5464b639f27668701"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/nextjs/nextjs-no-client-side-redirect.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "properties": {"repobilityId": 40459, "scanner": "repobility-threat-engine", "fingerprint": "f5b07ff11a0e2d163a929223d28e7582821b18222676ab1f28c92433a8a9650a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f5b07ff11a0e2d163a929223d28e7582821b18222676ab1f28c92433a8a9650a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/nextjs/nextjs-no-client-fetch-for-server-data.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "properties": {"repobilityId": 40458, "scanner": "repobility-threat-engine", "fingerprint": "7dac927bdf46c275d6a53ab2da356e16fb201d9ee91c4b227867f3bae48d60f1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7dac927bdf46c275d6a53ab2da356e16fb201d9ee91c4b227867f3bae48d60f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/js-performance/js-hoist-intl.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 40457, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 40456, "scanner": "repobility-threat-engine", "fingerprint": "e4efd43268a4d2297b9ad3acfe2da3d2d60ba715dfc22849dab57e30635567f4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4efd43268a4d2297b9ad3acfe2da3d2d60ba715dfc22849dab57e30635567f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/__fixtures__/no-noninteractive-element-to-interactive-role.fixtures.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 40455, "scanner": "repobility-threat-engine", "fingerprint": "341bf39dcd98ed39f32567c4ad65463325df9db6c43bcdf2af85a7f49495e636", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|341bf39dcd98ed39f32567c4ad65463325df9db6c43bcdf2af85a7f49495e636"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/__fixtures__/interactive-supports-focus.fixtures.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 40454, "scanner": "repobility-threat-engine", "fingerprint": "491009483ca796216c09ff7d34fc895374d46c075b4abd3960675028fbf353d2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|491009483ca796216c09ff7d34fc895374d46c075b4abd3960675028fbf353d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/__fixtures__/click-events-have-key-events.fixtures.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 40453, "scanner": "repobility-threat-engine", "fingerprint": "dd55ce3a9f3f9694552e8f4756890f4a32ddb6947f938d3ce6625eb2c930cc47", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|dd55ce3a9f3f9694552e8f4756890f4a32ddb6947f938d3ce6625eb2c930cc47", "aggregated_count": 7}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 40452, "scanner": "repobility-threat-engine", "fingerprint": "5ad29dc5ce4463cbb190495a9e269f037d4799e6ab816ab36a7304d8aced952d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5ad29dc5ce4463cbb190495a9e269f037d4799e6ab816ab36a7304d8aced952d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-danger-with-children.fixtures.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 40451, "scanner": "repobility-threat-engine", "fingerprint": "5e66527caa9d5dfd1d275a3a49ecaadbb7ad10a137985d4950dcbf2ec1ef3f4c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5e66527caa9d5dfd1d275a3a49ecaadbb7ad10a137985d4950dcbf2ec1ef3f4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/__fixtures__/heading-has-content.fixtures.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 40450, "scanner": "repobility-threat-engine", "fingerprint": "38ee87b851d3e569cb9d87e76161d1b4442247fb37be62d6af6eaca9a42eb89b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|38ee87b851d3e569cb9d87e76161d1b4442247fb37be62d6af6eaca9a42eb89b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/__fixtures__/anchor-has-content.fixtures.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 40449, "scanner": "repobility-threat-engine", "fingerprint": "b7c14669017ac17f4db12a528258a3816694f17f5dd761479089aa28c6c6fa10", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b7c14669017ac17f4db12a528258a3816694f17f5dd761479089aa28c6c6fa10"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 40445, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 40441, "scanner": "repobility-threat-engine", "fingerprint": "2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 40437, "scanner": "repobility-threat-engine", "fingerprint": "fd5263f259df18a6d881fa012e78c00f0f8814bd1b866788a5442afaae3a615d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fd5263f259df18a6d881fa012e78c00f0f8814bd1b866788a5442afaae3a615d", "aggregated_count": 19}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40436, "scanner": "repobility-threat-engine", "fingerprint": "9cee41bae5d2952418448206fcf852b936cb907e3c5299e0ccf6745c3cc6a087", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9cee41bae5d2952418448206fcf852b936cb907e3c5299e0ccf6745c3cc6a087"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/a11y/control-has-associated-label.ts"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40435, "scanner": "repobility-threat-engine", "fingerprint": "894fe6f87689efe8ae6192e01b257d01eda0b29663c408a759b893cca2ef6ec4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|894fe6f87689efe8ae6192e01b257d01eda0b29663c408a759b893cca2ef6ec4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/utils/match-glob-pattern.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40434, "scanner": "repobility-threat-engine", "fingerprint": "5d4c2b73dd200a541cd0ae7b5aa34c132892ad564ab706688b80b66594fb954f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d4c2b73dd200a541cd0ae7b5aa34c132892ad564ab706688b80b66594fb954f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/calculate-score.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 40433, "scanner": "repobility-threat-engine", "fingerprint": "9d7350027374ebe62f4d747e478eca80ef54bedb43dadb56de7cb7e0ed9e40a8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9d7350027374ebe62f4d747e478eca80ef54bedb43dadb56de7cb7e0ed9e40a8", "aggregated_count": 17}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 40432, "scanner": "repobility-threat-engine", "fingerprint": "24e2c4740b91943eeb4caa4166c86a1b7e8efc48f2e89327c48a0c700ecebb34", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|24e2c4740b91943eeb4caa4166c86a1b7e8efc48f2e89327c48a0c700ecebb34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/load-config.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 40431, "scanner": "repobility-threat-engine", "fingerprint": "94036028674c2ebf4d6591627aa780e712709815326b2c23a96a4bcde6c083fd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|94036028674c2ebf4d6591627aa780e712709815326b2c23a96a4bcde6c083fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/calculate-score.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 40430, "scanner": "repobility-threat-engine", "fingerprint": "b79b99c4d72363a8ecd889ff221c7d47678a6f90bc6f18af22c072caaa6d6191", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b79b99c4d72363a8ecd889ff221c7d47678a6f90bc6f18af22c072caaa6d6191"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/diagnose.ts"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5115, "scanner": "repobility-threat-engine", "fingerprint": "c2d709234ac797bd90a204c6db6c887786b412892e645cad7b310d7501899f66", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|292|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/website/src/components/terminal.tsx"}, "region": {"startLine": 292}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5114, "scanner": "repobility-threat-engine", "fingerprint": "f78b7a3c5f5c7c1b93d00e1d5ed6fd1deafe1f701e2500eef5dbe1076aee28eb", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|29|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/plugin/rules/performance/rendering-hydration-mismatch-time.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 40486, "scanner": "repobility-threat-engine", "fingerprint": "aaf55b64439f2392dd5264a158749e44a617339a5f3d49573c60b521852e2c4c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\": \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aaf55b64439f2392dd5264a158749e44a617339a5f3d49573c60b521852e2c4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/website/src/app/api/score/route.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40482, "scanner": "repobility-threat-engine", "fingerprint": "1d1044ce47a437f0b4a228f9b71204776c22dcdc6e5a910174906b3a083714de", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1d1044ce47a437f0b4a228f9b71204776c22dcdc6e5a910174906b3a083714de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/cli/index.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40481, "scanner": "repobility-threat-engine", "fingerprint": "7a3c35bf22a71cb7d2fcb3c4e81a73bbbc2d49cf7f5ab945dfdaed92b7e1db0c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(w", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7a3c35bf22a71cb7d2fcb3c4e81a73bbbc2d49cf7f5ab945dfdaed92b7e1db0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/state-and-effects/rerender-defer-reads-hook.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40480, "scanner": "repobility-threat-engine", "fingerprint": "7f3aecaa4634746d3ddbbdd6837b9e17b6fdafb9157c0ba48a48edb99a486e9b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7f3aecaa4634746d3ddbbdd6837b9e17b6fdafb9157c0ba48a48edb99a486e9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/server/server-hoist-static-io.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React wont re-render."}, "properties": {"repobilityId": 40478, "scanner": "repobility-threat-engine", "fingerprint": "e739932aa42f650f049d4cb00aa57225605d54ad6eb42cb1d3e0bc1a9ab86030", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e739932aa42f650f049d4cb00aa57225605d54ad6eb42cb1d3e0bc1a9ab86030"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/no-direct-mutation-state.fixtures.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 40448, "scanner": "repobility-threat-engine", "fingerprint": "55110f48fe4b0ce4c37fec5a1b036587d98b175f36e3686a4c59d22b8102c78e", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((extension) => `.${extension}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|55110f48fe4b0ce4c37fec5a1b036587d98b175f36e3686a4c59d22b8102c78e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/jsx-filename-extension.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 40447, "scanner": "repobility-threat-engine", "fingerprint": "2f66f535388b58a488ea9f5fbe576986cfb72ecb96f7ebf061edb2da6311a681", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((source) => `\"${source}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2f66f535388b58a488ea9f5fbe576986cfb72ecb96f7ebf061edb2da6311a681"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/bundle-size/no-barrel-import.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 40446, "scanner": "repobility-threat-engine", "fingerprint": "9aaafd9cea826e7842cdc6a53842b27e6f7271de50ce477780cda9cf766f1d50", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((entry) => `import { ${entry.identifier} } from \"${entry.relativeImport}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9aaafd9cea826e7842cdc6a53842b27e6f7271de50ce477780cda9cf766f1d50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/scripts/generate-rule-registry.mjs"}, "region": {"startLine": 162}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 40444, "scanner": "repobility-threat-engine", "fingerprint": "81701080db41dbb8d4d38052833ef1e8ab408e3026be7f7a8672ecc863b1be47", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|81701080db41dbb8d4d38052833ef1e8ab408e3026be7f7a8672ecc863b1be47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/parse-gitattributes-linguist.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 40443, "scanner": "repobility-threat-engine", "fingerprint": "2d5bc5e1224e556dded5757acb55db06f94c4e64be5be72d6319684a872a8049", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(relativePath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2d5bc5e1224e556dded5757acb55db06f94c4e64be5be72d6319684a872a8049"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/is-test-file.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 40442, "scanner": "repobility-threat-engine", "fingerprint": "31f63ed4b1deab677e9480d2291f98a4936750cb4acfc7d4f5a95319d66648d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(lines", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|31f63ed4b1deab677e9480d2291f98a4936750cb4acfc7d4f5a95319d66648d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/filter-diagnostics.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 40425, "scanner": "repobility-supply-chain", "fingerprint": "06b606f75a95ed5377e85b8c604f197847b68b696a7f647fd0c35ed513b0b5a0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06b606f75a95ed5377e85b8c604f197847b68b696a7f647fd0c35ed513b0b5a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 40424, "scanner": "repobility-supply-chain", "fingerprint": "b86e3133f9e65a444e1673102bd7b3d9ad2019afd3bdbd9d3af3db935915d7c6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b86e3133f9e65a444e1673102bd7b3d9ad2019afd3bdbd9d3af3db935915d7c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 40423, "scanner": "repobility-supply-chain", "fingerprint": "623c66181bdc87ed634208b5f31e0cf863b3ac63c98089d970c6fed17bc6c5c5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|623c66181bdc87ed634208b5f31e0cf863b3ac63c98089d970c6fed17bc6c5c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 40422, "scanner": "repobility-supply-chain", "fingerprint": "13bc59d611a4578246cf99cadc4ded09b5d3dafd8ba816575070752972dd36bc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|13bc59d611a4578246cf99cadc4ded09b5d3dafd8ba816575070752972dd36bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-leaderboard.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 40421, "scanner": "repobility-supply-chain", "fingerprint": "f6ee1be18f1dedeb0d6240f7aaa1857755848128dc5828dfdb83843cf23ab89c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f6ee1be18f1dedeb0d6240f7aaa1857755848128dc5828dfdb83843cf23ab89c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-leaderboard.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 40420, "scanner": "repobility-supply-chain", "fingerprint": "6a851303941b3ca8c4aeedcc3ffa8ebc0de019937314a6da2e747ccba8bf0517", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a851303941b3ca8c4aeedcc3ffa8ebc0de019937314a6da2e747ccba8bf0517"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-leaderboard.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "SUPC001", "level": "error", "message": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "properties": {"repobilityId": 15552, "scanner": "repobility", "fingerprint": "52347971b19a985d36bdec6c735128b0", "category": "supply_chain", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "curl -fsSL ${AMI_INSTALL_URL} | bash", "aljefra_cwe": ["CWE-494"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "curl-pipe-bash"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/cli.ts"}, "region": {"startLine": 287}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 40485, "scanner": "repobility-threat-engine", "fingerprint": "3741d8625e05ff1c4564af5408efd840c327e004e79ba4ff7972984946f8614e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(PROMPTS_MULTISELECT_MODULE_PATH", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3741d8625e05ff1c4564af5408efd840c327e004e79ba4ff7972984946f8614e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-doctor/src/cli/utils/prompts.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 40479, "scanner": "repobility-threat-engine", "fingerprint": "de09c7e56d93efadab27c78d681b107cfec936b87dd618f006810d71fe8df476", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de09c7e56d93efadab27c78d681b107cfec936b87dd618f006810d71fe8df476"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/security/no-eval.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "properties": {"repobilityId": 40471, "scanner": "repobility-threat-engine", "fingerprint": "f2181a67229e614384132351987c54779eaf466e27507ab65a205b6f31494c46", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2181a67229e614384132351987c54779eaf466e27507ab65a205b6f31494c46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/security/no-eval.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "properties": {"repobilityId": 40470, "scanner": "repobility-threat-engine", "fingerprint": "e4bf397a91afe01c4ed520e9ad4bdc50933c987954542a84e4c53fc125bb6d33", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4bf397a91afe01c4ed520e9ad4bdc50933c987954542a84e4c53fc125bb6d33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/oxlint-plugin-react-doctor/src/plugin/rules/react-builtins/__fixtures__/jsx-no-new-function-as-prop.fixtures.ts"}, "region": {"startLine": 35}}}]}]}]}